All information is derived from MANDIANT observations in non-classified environments.

Information has been sanitized where necessary to protect our clients' interests.
Remediating intrusions by targeted, persistent adversaries requires a different approach
Targeted

— The adversary chose your organization for a reason

— Today, they want some piece of electronic information

— ...And will likely want more in the future

— They are not opportunistic intruders
Persistent (adopted from Richard Bejtlich's definition of APT)

— The adversary is formally tasked to accomplish a mission

— Like an intelligence unit, they receive directives and work to satisfy their masters

— Persistent does not necessarily mean they need to constantly execute malicious code on victim computers

— They maintain the level of interaction needed to execute their objectives
Threat (adopted from Richard Bejtlich's definition of APT)

— The adversary is not a piece of mindless code. This point is crucial.

— Some people throw around the term "threat" with reference to malware

— If malware had no human attached to it, then most malware would be of little worry (as long as it didn't degrade or deny data)

— The adversary here is a threat because it is organized and funded and motivated

— Some people speak of multiple "groups" consisting of dedicated "crews" with various missions
Traditional IR Doctrine

3.3.1 Choosing a Containment Strategy

When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a wired or wireless network, disconnect its modem cable, disable certain functions). Such decisions are much easier to make if strategies and procedures for containing the incident have been predetermined. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.

Source: NIST (National Institute of Standards and Technology, U.S. Department of Commerce), Special Publication 800-61 Revision 1
...updated for the modern era

Targeted attack

• Recommended approach

— Background: IR = Investigation + Remediation

— Prioritizing: The Remediation Planning Matrix

— The Remediation Event

— Posturing

— Strategic Activities
Company A
High tech manufacturer; global presence; 20,000 employees; 24,000 workstations and laptops, 3,000 servers

Company B
Supplier to Company A

Company C
A service provider

Targeted, Persistent Attacker
Works on a regular schedule - this is a job
APT Attack: Day One

(Diagram: Company B on the left, Company A on the right.)

1. Attacker has compromised Company B. ("Hop point" infrastructure was already deployed.)

2. Attacker sends phishing emails from Company B to a handful of employees of Company A, subject line: "Re: Explanation of new pricing". Email contains malicious PDF attachment.

3. Bob opens the attachment.

4. A backdoor installed on Bob's workstation "calls home" by making an HTTPS request to a website.

5. The attacker, via the command and control (C2) server, executes commands on the victim PC.

6. The attacker now owns Bob's workstation.
APT Attack: Days Two - Four

(Diagram: activity inside Company A; second C2 domain labelled another.bad.com outside the network boundary.)

1. Attacker queries Active Directory for a user and computer listing.

2. Attacker uses WCE to obtain admin and service account passwords from Bob's system.

3. Attacker connects to IT admins' PCs using a service account he obtained from Bob's system. Uses WCE to obtain hashes.

4. Attacker dumps all users' password hashes from Active Directory, using the domain admin's credentials.

5. Attacker infects another system with a different malware variant, using the domain admin credentials.

6. Attacker connects to engineer's workstation using compromised account; confirms location of "crown jewels".

7. Connects to Alice's system, using her password...

8. ...from there connects to the server, and pulls back engineering data...

9. ...and encrypts them into RAR archives.

(network boundary)
Takeaways:

• The organization was targeted for a reason

• The attacker's goals

— Accomplish their mission
— Remain undetected
— Maintain access to the network

• Defense is not what it used to be

— Cannot "prevent" - instead think "inhibit"

— And, focus on detecting and responding quickly

• Win by:

— Inhibiting

• Make the attacker's job difficult

• ...but realize he will succeed in establishing a foothold

— Detecting

• Capability to proactively identify anomalies

• Ability to quickly answer "investigative" questions

— Enhancing response capabilities

• Investigate + remediate in hours, not months/years
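As an added example (not part of the original slides), the following Python script shows one way to answer the "investigative" question the Days Two - Four scenario raises: which account fanned out to many hosts over network logons in a short window, the way the service account taken from Bob's PC was used against the IT admins' PCs? The event lines, hostnames and account names are constructed for this example; the field layout is an assumed CSV export of Windows 4624 logon events, not any particular product's format, and the window and threshold are tunable assumptions.

```python
"""Lateral-movement fan-out check over Windows logon events.

Flags an account that performs network logons (event 4624, Logon Type 3)
to many distinct hosts within a short window, the pattern the scenario
shows when a service account taken from Bob's PC is used against the IT
admins' PCs. Input is an assumed CSV export:
    timestamp,event_id,account,logon_type,source_host,target_host
All sample lines, hosts and accounts below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    "2012-03-02T09:01:10,4624,svc_backup,3,BOB-WS,ADMIN-WS01",
    "2012-03-02T09:01:55,4624,svc_backup,3,BOB-WS,ADMIN-WS02",
    "2012-03-02T09:02:40,4624,svc_backup,3,BOB-WS,ADMIN-WS03",
    "2012-03-02T09:03:05,4624,svc_backup,3,BOB-WS,ADMIN-WS04",
    "2012-03-02T09:03:30,4624,svc_backup,3,BOB-WS,ADMIN-WS05",
    "2012-03-02T09:04:00,4624,carol,3,CAROL-WS,PRINT-SRV",          # one network logon: normal
    "2012-03-02T09:05:00,4624,alice,2,-,ALICE-WS",                  # interactive logon: ignored
    "2012-03-02T09:10:00,4624,svc_backup,3,BACKUP-SRV,FILE-SRV01",
    "2012-03-02T11:30:00,4624,svc_backup,3,BACKUP-SRV,FILE-SRV02",  # hours later: outside the window
]


def parse_event(line):
    """Split one CSV line into a dict with typed fields."""
    ts, event_id, account, logon_type, src, dst = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "logon_type": int(logon_type),
        "src": src,
        "dst": dst,
    }


def find_fan_out(lines, window=timedelta(minutes=10), threshold=4):
    """Return {account: sorted distinct targets} for every account that reaches
    `threshold` or more distinct hosts via network logons inside any `window`.

    A sliding window over each account's time-sorted network logons keeps the
    check linear in the number of events per account.
    """
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] == 4624 and ev["logon_type"] == 3:
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Drop events older than `window` relative to the newest one.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                seen = set(alerts.get(account, []))
                alerts[account] = sorted(seen | targets)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: network logons to {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

On the constructed sample, svc_backup is flagged for six hosts inside one ten-minute window, while carol's single network logon and alice's interactive logon are not. The point of keeping the check per account and per window, rather than counting total logons, is that a backup service account legitimately touches many servers over a day; what is anomalous is the burst against workstations it never serviced before.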
Response = Investigate + Remediate

Investigation:
— Scope of compromise
— Attacker TTPs
— Data loss
— Attribution and attacker motivations

Remediation:
— Mitigate current threat
— Make it more difficult for future attackers
— More rapidly detect future activity
— Analyze lessons learned and strengthen security program
Attacker TTPs drive the approach

Attacker TTPs:
• Established a foothold
• Lateral movement capability
• Methods of evading detection
• Specific malware and tools deployed
• Specific command-and-control (C2) networks

Key Remediation Tactics:
• Isolate environment during remediation
• Execute contain/eradicate activities over a short time period
• Block C2 and implement rapid alerting mechanism
• Inhibit attacker and improve visibility to detect future attacker activities
Remediation phases

Remediation encompasses containment, eradication and recovery.

A remediation event is a short, defined period of time during which an organization

— Mitigates the current threat

— Implements enhancements to directly frustrate attackers' techniques

Posturing -> Remediation Event(s) -> Strategic
The Remediation Event

1. Isolate WAN from the Internet. 

2. Block egress traffic to attacker C2 addresses & domains. 

3. Replace compromised systems. 

4. Reset passwords. 

5. Implement technical countermeasures that directly address the 
attack lifecycle: 

a) Secure Windows 'local administrator' accounts 

b) Patch third-party desktop applications 

c) Implement application whitelisting (critical systems) 

d) Block workstation-to-workstation communication 

6. Validate effective implementation of tasks 

7. Reconnect Internet 

*NB: One size does not fit all.

Black Hat USA 2012
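Steps 2 and 6 above (block egress to C2, then validate) are where the "rapid alerting mechanism" earns its keep: during the isolation window, any host still trying to reach attacker infrastructure is a host the investigation missed, and any such connection the proxy allowed is a gap in the block rule. The following Python script is an added example, not the presentation's own tooling; it triages a constructed proxy log against an indicator list. The CSV layout, the hostnames, the 198.51.100.0/24 range and the "bad.com" parent domain are assumptions made for the example, while another.bad.com is the C2 domain drawn in the scenario.

```python
"""Triage proxy/firewall egress records against attacker C2 indicators.

Two questions a remediation team must answer before step 7 (reconnect):
  1. Which internal hosts are still beaconing?  -> not yet eradicated
  2. Did any C2 contact get through as ALLOW?   -> block rule incomplete
Log layout is an assumed CSV: timestamp,src_host,dst_host,dst_ip,action
All indicator values and log lines are constructed for this example, except
another.bad.com, which is the C2 domain drawn in the scenario.
"""
import ipaddress
from collections import Counter

C2_INDICATORS = {
    # Parent domains: a match covers the domain itself and every subdomain.
    "domains": {"bad.com"},
    # Attacker hop-point ranges (RFC 5737 documentation range used here).
    "networks": {"198.51.100.0/24"},
}

SAMPLE_PROXY_LOG = [
    "2012-03-05T08:00:01,BOB-WS,another.bad.com,198.51.100.20,DENY",
    "2012-03-05T08:00:31,ADMIN-WS02,update.bad.com.,198.51.100.21,DENY",
    "2012-03-05T08:01:00,ALICE-WS,www.example.com,203.0.113.5,ALLOW",
    "2012-03-05T08:01:30,ENG-WS07,notbad.com,203.0.113.9,ALLOW",             # suffix trap: must NOT match
    "2012-03-05T08:02:00,ENG-WS07,cdn.lookup.invalid,198.51.100.77,ALLOW",  # IP in C2 range, allowed: gap
    "2012-03-05T08:03:00,BOB-WS,another.bad.com,198.51.100.20,DENY",
]


def matches_c2(dst_host, dst_ip, indicators=C2_INDICATORS):
    """True if the destination hits a C2 domain (or subdomain) or a C2 network."""
    host = dst_host.lower().rstrip(".")   # normalise case and trailing dot
    for domain in indicators["domains"]:
        # Label-boundary match so "notbad.com" does not match "bad.com".
        if host == domain or host.endswith("." + domain):
            return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) for net in indicators["networks"])


def parse_record(line):
    """Split one CSV line into a dict; the action is upper-cased for comparison."""
    ts, src, dst_host, dst_ip, action = line.strip().split(",")
    return {"ts": ts, "src": src, "dst_host": dst_host, "dst_ip": dst_ip, "action": action.upper()}


def triage(lines, indicators=C2_INDICATORS):
    """Return (beaconing, leaks).

    beaconing: Counter of internal hosts that attempted C2 contact, denied or not
    leaks: records that matched C2 indicators yet were ALLOWed
    """
    beaconing = Counter()
    leaks = []
    for line in lines:
        rec = parse_record(line)
        if not matches_c2(rec["dst_host"], rec["dst_ip"], indicators):
            continue
        beaconing[rec["src"]] += 1
        if rec["action"] == "ALLOW":
            leaks.append(rec)
    return beaconing, leaks


if __name__ == "__main__":
    hosts, leaks = triage(SAMPLE_PROXY_LOG)
    for host, n in hosts.most_common():
        print(f"STILL BEACONING: {host} ({n} attempts) - replace before reconnecting")
    for rec in leaks:
        print(f"BLOCK GAP: {rec['src']} reached {rec['dst_host']} [{rec['dst_ip']}] ALLOW at {rec['ts']}")
```

Two design points matter in practice. Denied connections are still counted as beaconing, because the validation question in step 6 is whether compromised systems remain, not whether the block held. And domain matching is done on label boundaries with the trailing dot stripped, since a naive suffix check would both miss "update.bad.com." and wrongly flag "notbad.com".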
Remediation phases

Remediation is preceded by posturing

— Implement triage countermeasures that do not disrupt the investigation

— Plan for the remediation event(s)

— Instrument the environment to make it more "investigation-ready"

Remediation is followed by the implementation of strategic initiatives

— Longer-term security improvements that are not tactically necessary for remediation

Posturing -> Remediation Event(s) -> Strategic
Caveats

Some situations warrant immediate containment, e.g., when

    Attacker knowing that you are remediating
    [has less impact than]
    Consequences of not containing
Caveats in Action

Example: financial breach, smash-and-grab

— Attackers are about to steal millions in cash

— Attackers are not interested in maintaining access

Immediate containment is likely justified
Prioritizing initiatives

• Targeted, persistent threats require a different approach for remediation success.

• Redefine winning: such attackers will return.

• Plan countermeasures that directly address the attack lifecycle to optimize chances of success.

Contact information

Jim.Aldridge at Mandiant.com
703.224.2963

About MANDIANT:

MANDIANT is the information security industry's leading provider of incident response and computer forensics solutions and services. MANDIANT provides products, professional services and education to Fortune 500 companies, financial institutions, government agencies, domestic and foreign police departments and leading U.S. law firms. To learn more about MANDIANT visit www.mandiant.com, read M-unition, the company blog: http://blog.mandiant.com, or follow on Twitter @MANDIANT.